Thursday , March 28, 2024

Repelling the Card-Not-Present Fraud Assault

The payment card world is bracing for a spike in card-not-present fraud now that the U.S. is an EMV country. What’s to be done?

The U.S. became an “official” EMV country Oct. 1 by virtue of its point-of-sale liability shift. As credit and debit cards with EMV chips and payment terminals that can read them proliferate, counterfeit and lost-and-stolen card fraud in face-to-face transactions will be much harder for criminals to carry out.

But, say the experts—and there are only a few dissenting voices—the downside is that EMV is spurring fraudsters to turn their attention to card-not-present channels such as mail order/telephone transactions, and especially the Internet. In the CNP world, EMV cards provide no more protection than the magnetic-stripe cards they’re replacing.

“Every country where chip cards are introduced, fraud has leaped to where business is more insecure,” says Michael A. “Mike” Keresman, chief executive of CardinalCommerce Corp., a Mentor, Ohio-based provider of risk-control and payment services for e-commerce. “Those crooks aren’t going to go into farming, they’re going to go into the less-secure channel.”

Adds Jeremy King, London-based international director of the PCI Security Standards Council, the body that oversees the Payment Card Industry data-security standard (PCI-DSS) and related sets of rules with which merchants and processors must comply to protect cardholder information: “I think you will have a problem as bad as we have had in Europe.”

‘The Addressable Market’

A 2014 study by Boston-based Aite Group LLC documented the flip-flops between point-of-sale and CNP fraud as EMV payments took hold in several countries, including the United Kingdom, Australia, and Canada.

In the U.K., for example, counterfeit fraud plunged 56% between 2005, when the country had its EMV liability shift, and 2013. Lost-and-stolen card fraud fell by a third in the same period. But card-not-present fraud jumped 64%.

Canada had its Visa and MasterCard EMV liability shifts in 2011, followed by American Express in 2012 and Discover this year. In 2008, CNP credit card fraud losses were about half those of point-of-sale fraud, but the lines crossed two years later and by 2013 CNP fraud was 2.7 times higher.

E-commerce veterans expect the fraudsters to hit the U.S. hard as counterfeiting and lost-and-stolen card fraud becomes more difficult. Aite’s report predicts U.S. credit card CNP fraud losses will more than double from an estimated $3.1 billion this year to $6.4 billion in 2018.

“What we’re finding is the United of America has become the addressable market for card-not-present fraud,” says Neeraj Gupta, product manager at Vantiv eCommerce, the online acquiring unit of suburban Cincinnati-based payment processor Vantiv Inc. Gupta says Vantiv has seen, on average, “a whole percentage point increase” in its CNP fraud rate in the past year and a half.

“The balloon to some degree will get squeezed,” says Justin Bigham, head of consumer product management at Buffalo, N.Y.-based First Niagara Financial Group Inc., a 390-branch bank holding company that has issued 900,000 debit cards and 250,000 credit cards.

‘Putting It All Together’

Just about any merchant that sells goods and services online, over the phone, and by mail can get hit by card-not-present fraud, but digital-goods sellers traditionally have had high fraud rates.

Another category getting hit hard as EMV takes hold is the non-profit sector, whose Web sites fraudsters often use to test stolen card credentials by making small donations, according to Vantiv’s Gupta. The vast majority of those transactions will be charged back by the legitimate cardholders.

“They serve as really great test beds,” he says. “They [fraudsters] are looking for data; they care not at all for the donation itself.”

How to defend against the onslaught? Defense is complicated because it involves not only stopping fraud itself, but approving as many legitimate transactions as possible while avoiding the dreaded shopping-cart abandonment—consumers bailing on making a purchase because there are too many online forms or fields to fill in.

While there are a host of new or updated anti-fraud technologies in the market, or about to come to market—everything from tokenization and encryption to improved fraud screens and biometrics—the best defenses include “a lot of the tried-and-true techniques,” says Gupta.

One of those is the three-digit security code printed on the back of Visa or MasterCard cards known as the card verification value (CVV2) in Visa parlance and card validation code (CVC2) on MasterCard cards.

The technology works the same, and is different from the verification values encoded on the magnetic stripe. The CVV2/CVC2 is an encrypted value determined by elements that include card number and expiration date, according to the Smart Card Alliance trade group. The issuer has the encryption key and can decrypt the code and validate.

Use of the code could be a fraud killer in many CNP transactions, but merchants frequently fail to ask for it. Aite research director Julie Conroy says she doesn’t know how often merchants ask for the CVV2/CVC2, but anecdotally she says two of the last three merchants she talked to don’t use it, and the third asks for it only in 10% of transactions, after other fraud flags are raised.

“I ask merchants why they’re not using it, and it’s that fear of attrition,” she says. “That is the entire driver.”

Some tools, such as the card networks’ address-verification service, are useless if the fraudster has, in addition to a consumer’s correct card data, his or her address also, which often is for sale in underground “carder” forums. So savvy merchants, acquirers, and issuers mine their own data as much as possible to reduce CNP fraud.

“It’s all about how you monitor and do research on what transactions are happening or not happening, monitoring the black market,” says First Niagara’s Bigham. “There’s a lot of analytics.” His company, he says, will “significantly increase the analytics” in the new EMV environment.

Vantiv goes by the mantra of authentication, deviation, and reputation, according to Gupta. Authentication can take various forms—authenticating the cardholder and card—while deviation involves assessing a transaction’s differences from past activity.

Elements here can include transaction velocity and device fingerprinting, which gathers intelligence about the PC, laptop, or mobile device from which the transaction is originating. Somewhat similarly, reputation involves assessing the cardholder’s past behavior to assess risk in the present.

“Once you look out for all these clues, it’s a matter of putting it all together,” says Gupta.

Howls of Protest

Perhaps no anti-CNP fraud technology has been discussed more than 3-D Secure, a 13-year-old system developed by Visa Inc. and branded by that network as Verified by Visa. It’s long been available to other networks and goes by various names. At least a dozen countries mandate or encourage its use in various instances, according to Aite Group.

The technology originally produced a pop-up screen with the issuer’s brand, separate from the merchant’s Web site, that required cardholders to enter a password when making an online purchase. That led to howls of protest from merchants about abandoned sales. In response, the networks and tech companies have been tweaking the technology to make it less obtrusive.

“When we look at it in Europe, it actually does help when it is used,” says King of the Wakefield, Mass.-based PCI Council.

Currently 3-D Secure is undergoing a major re-do under the auspices of EMVCo, the network-controlled standards body that sets chip card technical requirements.

The coming revision will improve mobile-payments security and make overall technical advancements in e-commerce, according to Keresman of CardinalCommerce.

“More important, data will be transmitted at the right place at the right time with a lot less steps,” says Keresman.

CardinalCommerce has built online-fraud control services that augment 3-D Secure and do most of the risk assessments in the background so that the number of transactions requiring data entry is minimal, according to Keresman.

A Good Balance

Keresman spends many of his days trying to figure out how to improve authorization rates while minimizing fraud. He says the separate risk-control systems of merchants and card issuers often “work against each other, and essentially grind down transactions to the lowest common denominator.”

Such conflicts can worsen the longstanding problem in card payments of declining would-be legitimate transactions. In a recent report, Pleasanton, Calif.-based Javelin Strategy & Research estimated that false declines totaled $118 billion in lost sales for merchants in 2014, while real card fraud added up to only $9 billion (“How False Rejections Cost More Than Actual Fraud,” October).

Keresman estimates that, excluding debit card authorizations declined for non-sufficient funds, 96% of credit and debit card transactions at the point of sale are approved.

“Online, that percentage is less than 80%,” he says. “Some of that [differential] is fraud, but not all of it, not nearly all of it.”

One example Keresman cites of a merchant striking a good balance is the online ticketing system of Amtrak, the national passenger railroad. Amtrak implemented a consumer-authentication system from CardinalCommerce that he says increased authorizations by 7%, while chargebacks due to fraud “went away almost completely.”

Besides 3-D Secure

Others in the payments industry say a modernized 3-D Secure is just one of many weapons against online fraud. Atlanta-based Acculynk Inc., for example, says the coming of EMV has generated new interest in its PaySecure platform that provides a floating PIN pad on the cardholder’s screen for online debit authentication.

The consumer enters the PIN not from key entry, which can be captured by fraudsters, but by mouse clicks or touches on a touch screen. The coordinates from the data entry are encrypted and passed to the issuer.

“Over the last 12 months, we’ve seen significant new interest and merchants and clients,” says Nandan Sheth, president and chief operating officer.

The big merchant acquirer Heartland Payment Systems Inc. also is anticipating increased merchant interest in online fraud control. Princeton, N.J.-based Heartland in late September announced Heartland SecureSubmit, an e-commerce data-protection service that uses data encryption and tokenization to not only shield sensitive cardholder data, but also to reduce merchants’ PCI compliance tasks, says Joe Wysocki, senior director of e-commerce.

SecureSubmit is now integrated with a number of the acquirer’s applications.

“We know that EMV did not help with online commerce,” says Wysocki. “We felt there was an opportunity here for merchants to minimize their cost and scope of PCI compliance.”

Next on the fraud-control front for Heartland is what Wysocki calls “an advanced fraud-screen program for small businesses” that will bring an additional 10 to 12 fraud filters into play. The system currently is in test, he says.

As the need for card-not-present risk reduction increases, the card industry needs to turn away from traditional personal identifying information (PII) for authentication, which can be easily obtained by fraudsters, according to Al Pascual, director of fraud and security at Javelin. Instead, the industry should work on improving assessments based on behavioral metrics, device identification, and other high-tech metrics.

“The reality is that banks need to get away from simply that PII,” Pascual says. “I keep reiterating that because they keep being used more often than they should, over-relied upon.”

Biometrics, however, are one form of PII that can be much harder to crack than passwords, expiration dates, and older forms of personal identifiers. The Apple Pay and Samsung Pay mobile-payment services are using fingerprint authentication, and MasterCard Inc. this past summer said it was testing facial-recognition technology—better known to Millennials as selfies—for payment confirmation.

Endless Debate

The debate about which technology is best for fighting card-not-present fraud will never end, of course, because it’s unlikely that any single solution will solve the problem.

According to CardinalCommerce’s Keresman, the goal of payments providers should be to facilitate as many payments as possible while sustaining the least fraud.

“At the end of the day, what we’re in business for is to enable consumers to buy what they want, when they want, how they want,” he says. “Otherwise we don’t have jobs.”

Check Also

Buying Groups Might—or Might Not—Give Merchants More Negotiating Power with the Card Networks

Card-acceptance costs and network rules weren’t the only subjects covered by the sweeping settlement revealed …

Leave a Reply

Digital Transactions